[ 462.559734] syz-executor.3 (6789) used greatest stack depth: 23304 bytes left
[ 463.206523] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 463.213469] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 463.222766] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 463.229892] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 463.240936] device bridge_slave_1 left promiscuous mode
[ 463.247384] bridge0: port 2(bridge_slave_1) entered disabled state
[ 463.260022] device bridge_slave_0 left promiscuous mode
[ 463.265487] bridge0: port 1(bridge_slave_0) entered disabled state
[ 463.280856] device veth1_macvtap left promiscuous mode
[ 463.286602] device veth0_macvtap left promiscuous mode
[ 463.291916] device veth1_vlan left promiscuous mode
[ 463.297627] device veth0_vlan left promiscuous mode
[ 463.371608] device hsr_slave_1 left promiscuous mode
[ 463.381701] device hsr_slave_0 left promiscuous mode
[ 463.394211] team0 (unregistering): Port device team_slave_1 removed
[ 463.406019] team0 (unregistering): Port device team_slave_0 removed
[ 463.416001] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 463.429368] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 463.458329] bond0 (unregistering): Released all slaves
Warning: Permanently added '10.128.10.61' (ECDSA) to the list of known hosts.
[ 465.264592] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 465.272106] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 465.283546] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 465.290329] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 465.298351] device bridge_slave_1 left promiscuous mode
[ 465.303783] bridge0: port 2(bridge_slave_1) entered disabled state
[ 465.311015] device bridge_slave_0 left promiscuous mode
[ 465.317478] bridge0: port 1(bridge_slave_0) entered disabled state
[ 465.326174] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 465.333664] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 465.342090] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 465.349269] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 465.357659] device bridge_slave_1 left promiscuous mode
[ 465.363098] bridge0: port 2(bridge_slave_1) entered disabled state
[ 465.370712] device bridge_slave_0 left promiscuous mode
[ 465.378872] bridge0: port 1(bridge_slave_0) entered disabled state
[ 465.387925] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 465.394637] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 465.402951] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 465.410156] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 465.417804] device bridge_slave_1 left promiscuous mode
[ 465.423233] bridge0: port 2(bridge_slave_1) entered disabled state
[ 465.431772] device bridge_slave_0 left promiscuous mode
[ 465.437359] bridge0: port 1(bridge_slave_0) entered disabled state
[ 465.446094] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 465.453742] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 465.461547] ==================================================================
[ 465.469173] BUG: KASAN: use-after-free in batadv_iv_ogm_queue_add+0x326/0xe50
[ 465.476457] Read of size 60 at addr ffff888095c19f00 by task kworker/u4:0/7
[ 465.483557]
[ 465.485165] CPU: 1 PID: 7 Comm: kworker/u4:0 Not tainted 5.0.0-rc6-syzkaller #0
[ 465.492604] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 465.501954] Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet
[ 465.509117] Call Trace:
[ 465.511725] dump_stack+0x165/0x21a
[ 465.515414] print_address_description.cold.3+0x9/0x211
[ 465.520764] ? batadv_iv_ogm_queue_add+0x326/0xe50
[ 465.525693] kasan_report.cold.4+0x1b/0x37
[ 465.529920] ? batadv_iv_ogm_queue_add+0x326/0xe50
[ 465.534921] ? batadv_forw_packet_free+0xd0/0x160
[ 465.539747] ? batadv_iv_ogm_queue_add+0x326/0xe50
[ 465.544654] check_memory_region+0x13c/0x1b0
[ 465.549060] memcpy+0x23/0x50
[ 465.552166] batadv_iv_ogm_queue_add+0x326/0xe50
[ 465.556975] ? rcu_preempt_deferred_qs_irqrestore+0x86d/0xd00
[ 465.562915] ? trace_hardirqs_on+0x28/0x190
[ 465.567220] ? batadv_iv_ogm_iface_enable+0x370/0x370
[ 465.572455] ? lock_acquire+0x180/0x3a0
[ 465.576411] ? kasan_check_read+0x11/0x20
[ 465.580548] batadv_iv_ogm_schedule+0xb47/0xe80
[ 465.585194] ? batadv_iv_ogm_queue_add+0xe50/0xe50
[ 465.590125] batadv_iv_send_outstanding_bat_ogm_packet+0x4a2/0x790
[ 465.596427] ? rcu_lockdep_current_cpu_online+0xe5/0x130
[ 465.601946] process_one_work+0x7b9/0x15e0
[ 465.606180] ? pwq_dec_nr_in_flight+0x2c0/0x2c0
[ 465.610846] ? lock_acquire+0x180/0x3a0
[ 465.614858] ? _raw_spin_lock_irq+0x3c/0x90
[ 465.619188] worker_thread+0x85/0xb60
[ 465.622964] ? __kthread_parkme+0x47/0x190
[ 465.627193] kthread+0x324/0x3e0
[ 465.630569] ? process_one_work+0x15e0/0x15e0
[ 465.635035] ? kthread_park+0x120/0x120
[ 465.639001] ret_from_fork+0x24/0x30
[ 465.642690]
[ 465.644289] Allocated by task 7:
[ 465.647632] __kasan_kmalloc.part.0+0x66/0x100
[ 465.652189] __kasan_kmalloc.constprop.1+0xb5/0xc0
[ 465.657093] kasan_kmalloc+0x9/0x10
[ 465.660691] __kmalloc+0x164/0x3e0
[ 465.664220] batadv_tvlv_container_ogm_append+0x16f/0x4b0
[ 465.669731] batadv_iv_ogm_schedule+0xc39/0xe80
[ 465.674371] batadv_iv_send_outstanding_bat_ogm_packet+0x4a2/0x790
[ 465.680683] process_one_work+0x7b9/0x15e0
[ 465.684904] worker_thread+0x85/0xb60
[ 465.688676] kthread+0x324/0x3e0
[ 465.692017] ret_from_fork+0x24/0x30
[ 465.695703]
[ 465.697307] Freed by task 7528:
[ 465.700579] __kasan_slab_free+0x13c/0x220
[ 465.704803] kasan_slab_free+0xe/0x10
[ 465.708576] kfree+0xcf/0x220
[ 465.711656] batadv_iv_ogm_iface_disable+0x34/0x70
[ 465.716579] batadv_hardif_disable_interface.cold.9+0x712/0x107a
[ 465.722715] batadv_softif_destroy_netlink+0x94/0x100
[ 465.728000] default_device_exit_batch+0x239/0x3d0
[ 465.732938] ops_exit_list.isra.0+0xd3/0x120
[ 465.737336] cleanup_net+0x363/0x840
[ 465.741023] process_one_work+0x7b9/0x15e0
[ 465.745243] worker_thread+0x85/0xb60
[ 465.749030] kthread+0x324/0x3e0
[ 465.752370] ret_from_fork+0x24/0x30
[ 465.756106]
[ 465.757729] The buggy address belongs to the object at ffff888095c19f00
[ 465.757729] which belongs to the cache kmalloc-64 of size 64
[ 465.770229] The buggy address is located 0 bytes inside of
[ 465.770229] 64-byte region [ffff888095c19f00, ffff888095c19f40)
[ 465.781820] The buggy address belongs to the page:
[ 465.786738] page:ffffea0002570640 count:1 mapcount:0 mapping:ffff88812c3f6340 index:0xffff888095c19080
[ 465.796183] flags: 0xfffe0000000200(slab)
[ 465.800318] raw: 00fffe0000000200 ffffea00027e7d88 ffffea00022751c8 ffff88812c3f6340
[ 465.808179] raw: ffff888095c19080 ffff888095c19000 0000000100000016 0000000000000000
[ 465.816047] page dumped because: kasan: bad access detected
[ 465.821745]
[ 465.823347] Memory state around the buggy address:
[ 465.828253]  ffff888095c19e00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 465.835608]  ffff888095c19e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 465.842952] >ffff888095c19f00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 465.850292]                    ^
[ 465.853635]  ffff888095c19f80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 465.860977]  ffff888095c1a000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 465.868312] ==================================================================
[ 465.875645] Disabling lock debugging due to kernel taint
[ 465.881798] Kernel panic - not syncing: panic_on_warn set ...
[ 465.887695] CPU: 1 PID: 7 Comm: kworker/u4:0 Tainted: G B 5.0.0-rc6-syzkaller #0
[ 465.896532] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 465.905886] Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet
[ 465.912970] Call Trace:
[ 465.915539] dump_stack+0x165/0x21a
[ 465.919147] ? batadv_iv_ogm_queue_add+0x310/0xe50
[ 465.924131] panic+0x212/0x40b
[ 465.927309] ? __warn_printk+0xd6/0xd6
[ 465.931238] ? ___preempt_schedule+0x16/0x18
[ 465.935639] ? batadv_iv_ogm_queue_add+0x326/0xe50
[ 465.940547] end_report+0x47/0x4f
[ 465.943990] kasan_report.cold.4+0xe/0x37
[ 465.948112] ? batadv_iv_ogm_queue_add+0x326/0xe50
[ 465.953040] ? batadv_forw_packet_free+0xd0/0x160
[ 465.957857] ? batadv_iv_ogm_queue_add+0x326/0xe50
[ 465.962771] check_memory_region+0x13c/0x1b0
[ 465.967156] memcpy+0x23/0x50
[ 465.970250] batadv_iv_ogm_queue_add+0x326/0xe50
[ 465.974979] ? rcu_preempt_deferred_qs_irqrestore+0x86d/0xd00
[ 465.980840] ? trace_hardirqs_on+0x28/0x190
[ 465.985140] ? batadv_iv_ogm_iface_enable+0x370/0x370
[ 465.990321] ? lock_acquire+0x180/0x3a0
[ 465.994287] ? kasan_check_read+0x11/0x20
[ 465.998410] batadv_iv_ogm_schedule+0xb47/0xe80
[ 466.003050] ? batadv_iv_ogm_queue_add+0xe50/0xe50
[ 466.007958] batadv_iv_send_outstanding_bat_ogm_packet+0x4a2/0x790
[ 466.014254] ? rcu_lockdep_current_cpu_online+0xe5/0x130
[ 466.019699] process_one_work+0x7b9/0x15e0
[ 466.023926] ? pwq_dec_nr_in_flight+0x2c0/0x2c0
[ 466.028573] ? lock_acquire+0x180/0x3a0
[ 466.032522] ? _raw_spin_lock_irq+0x3c/0x90
[ 466.036819] worker_thread+0x85/0xb60
[ 466.040590] ? __kthread_parkme+0x47/0x190
[ 466.044800] kthread+0x324/0x3e0
[ 466.048144] ? process_one_work+0x15e0/0x15e0
[ 466.052632] ? kthread_park+0x120/0x120
[ 466.056584] ret_from_fork+0x24/0x30
[ 466.061576] Kernel Offset: disabled
[ 466.065191] Rebooting in 86400 seconds..